Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

run-gemini-cli GitHub Action

Source -

CNA

CNA CVEs -

1

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
1Vulnerabilities found

CVE-2026-12537
Assigner-f45cbf4e-4146-4068-b7e1-655ffc2c548c
ShareView Details
Assigner-f45cbf4e-4146-4068-b7e1-655ffc2c548c
CVSS Score-10||CRITICAL
EPSS-0.13% / 3.23%
||
7 Day CHG-0.18%
Published-24 Jun, 2026 | 13:37
Updated-02 Jul, 2026 | 19:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows

Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.

Action-Not Available
Vendor-Google CloudGoogle LLC
Product-run-gemini-cligemini-clirun-gemini-cli GitHub ActionGemini CLI
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')